Ok, so I am needing a little guidance on what I am missing here.
I am trying to create a signature to protect a certain service/process like McAfee does for its own services using HIPS. I am trying to create a rule to prevent users from changing the startup of the service, modification of the files and termination of the process. I am not seeing where to prevent termination of the service and my file mod rules don't appear to be working. The service mod seems to be working. Any help would be appreciated.
I am not seeing where to prevent termination of the service
Use the PROGRAM engine (open with terminate and open with modify directives).
Page 116 of:
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
my file mod rules dont appear to be working
I'm not exactly sure what protection you're trying to gain with protecting myservice.exe, but if you include the Destination File parameter, then that SubRule will only work for move/rename operations of the file specified. Try without the Destination File parameter, then you shouldn't be able to perform any of the selected directive operations against the filename.
Thanks for the reply, that did point me in the right direction. Still having problems trying to figure out how to write a signature to prevent a process from being terminated. I am trying to locate any place that may have signatures posted out on the web so I can see some examples of similar sigs. Know of any place?
I'm not aware of any location where customers post their custom signatures. If any place, I would assume it would be on the McAfee community forums here.
Just a quick signature test, I created this signature to:
*NOTE: Further testing will need to be done to make sure this doesn't cause any issues though.
Thanks for the response Kary. My signature is failing for me still. My three objectives are to prevent a service from being stopped, startup mode changed, process killed, or file removed or renamed. Here are rules I created for a Windows 7 x64 system that only partially works.
1. Rule to prevent file from delete or rename.
This rule seems to work as designed with no problems.
2. Prevent the service from being stopped or startup mode changed
This rule only partially works. It blocked my ability to change the startup mode from automatic to disabled, but it does not prevent me from choosing Stop or Restart.
3. Prevent the process from being terminated by user.
I did at one point get this signature to work, but it would go crazy tripping. For some reason this does not trip anymore after I recreated it. I am guessing that I need to put in a process like taskmgr.exe and cmd.exe under the caller module/include and/or exclude local\system under user? Not sure why this signature doesn't work though.
Any ideas? Your help is greatly appreciated.
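The three rules above are easiest to validate one operation at a time from an elevated prompt on the test box, so that the one that "only partially works" (stop/restart allowed, startup change blocked) shows up clearly. The script below is an added example, not code from the thread or from McAfee; the service name, binary path and the rename target are assumptions, and it restores anything that HIPS let through.

```powershell
# Added example (not from the thread): exercise each operation the custom
# HIPS signatures are meant to block and report which ones went through.
# Run as an administrator on the machine that has the HIPS policy applied.
# $ServiceName and $ServicePath are assumptions; point them at your service.
param(
    [string]$ServiceName = 'MyService',                             # assumption
    [string]$ServicePath = 'C:\Program Files\MyApp\myservice.exe'   # assumption
)

# Runs one action; a terminating error (HIPS returns access denied) means blocked.
function Test-Protection {
    param([string]$Name, [scriptblock]$Action, [scriptblock]$Undo)
    try {
        & $Action
        if ($Undo) { & $Undo }   # the rule did not fire, so put things back
        [pscustomobject]@{ Check = $Name; Result = 'NOT BLOCKED' }
    } catch {
        [pscustomobject]@{ Check = $Name; Result = "blocked: $($_.Exception.Message)" }
    }
}

$procName     = [IO.Path]::GetFileNameWithoutExtension($ServicePath)
$backupPath   = "$ServicePath.bak"                                  # assumption
$originalMode = (Get-Service -Name $ServiceName -ErrorAction Stop).StartType

$results = @(
    # Rule 1 (Files engine): rename the binary while the service is running
    Test-Protection 'Rename file' `
        { Rename-Item -Path $ServicePath -NewName $backupPath -ErrorAction Stop } `
        { Rename-Item -Path $backupPath -NewName $ServicePath -ErrorAction Stop }

    # Rule 3 (Program engine, terminate directive): kill the process directly
    Test-Protection 'Kill process' `
        { Get-Process -Name $procName -ErrorAction Stop | Stop-Process -Force -ErrorAction Stop } `
        { Start-Service -Name $ServiceName -ErrorAction Stop }

    # Rule 2 (Services engine): change startup mode, then stop the service
    Test-Protection 'Change startup type' `
        { Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction Stop } `
        { Set-Service -Name $ServiceName -StartupType $originalMode -ErrorAction Stop }
    Test-Protection 'Stop service' `
        { Stop-Service -Name $ServiceName -Force -ErrorAction Stop } `
        { Start-Service -Name $ServiceName -ErrorAction Stop }
)

$results | Format-Table -AutoSize
```

Compare the rows marked NOT BLOCKED against the HIPS client activity log: a row that was allowed and produced no event means the signature never matched, whereas an event logged without a block points at the reaction (log vs. prevent) on the signature's severity level.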
On my Win7 x64 system, I performed all these operations you mentioned just fine with these rules. If you continue to have issues, I would suggest opening a Service Request with McAfee Support to troubleshoot further.
Message was edited by: ktankink. Corrections to protections (in italics). on 6/4/13 5:58:34 PM CDT